The string is also autoescaped even if you don't use cfqueryparam... at
least on SQL server.  Is it not with other DB systems?



> -----Original Message-----
> From: Jeff Guillaume [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 23, 2006 10:19 AM
> To: CF-Talk
> Subject: Re: coldfusion sql injection
> 
> Let alone the security aspect, it also improves performance by causing
> your database server to bind the variables before executing the query.
> 
> Straight from Macromedia:
> 
> http://tinyurl.com/oo49m (link to docs)
> 
> - Allows the use of SQL bind parameters, which improves performance.
> - Ensures that variable data matches the specified SQL type.
> - Allows long text fields to be updated from a SQL statement.
> - Escapes string variables in single-quotation marks.
> 
> Example:
> 
> <cfquery name = "getEmployees" dataSource = "cfdocexamples">
>    SELECT * FROM employees
>    WHERE LastName = <cfqueryparam value = "#LastName#"
>                         cfsqltype = "cf_sql_char" maxLength = "17"/>
> </cfquery>
> 
> In this case, cfqueryparam performs the following checks:
> 
> - It ensures that LastName contains a string.
> - It ensures that the string is 17 characters or less.
> - It escapes the string with single-quotation marks so that it appears as
> a single value to the database. Even if a hacker passes a bad URL, it
> appears as follows:
> WHERE LastName = 'Smith DELETE FROM MyCustomerTable'.
> 
> >That's the thing... When is cfqueryparam REALLY necessary for security?
> >I want to see some examples that require cfqueryparam.
> >
> >Russ
> >
> >>
> 
> 

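The two behaviours the quoted message describes (a spliced-in string versus a bound parameter with a type and maxLength check) can be seen side by side in the added example below. It is not from the thread or from Macromedia's docs, and it uses Python with an in-memory SQLite table rather than CFML so it runs stand-alone; the `employees` rows are constructed, and `check_param` is a hypothetical helper that imitates the type and length checks the message lists for cfqueryparam.

```python
import sqlite3

# Constructed sample table; stands in for the message's "employees" table.
SAMPLE_ROWS = [("Smith", "Sales"), ("Jones", "Support"), ("O'Brien", "IT")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (LastName TEXT, Dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_lastname_concat(conn, last_name):
    """Vulnerable form: the value is spliced into the SQL text, so any quote
    in it (hostile input or simply a name like O'Brien) alters the statement."""
    sql = "SELECT LastName FROM employees WHERE LastName = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def check_param(value, cfsqltype="cf_sql_char", max_length=None):
    """Hypothetical helper mirroring the two checks the message lists for
    cfqueryparam: the value must match the declared SQL type and must not
    exceed maxLength.  Only a few cfsqltype values are modelled."""
    if cfsqltype in ("cf_sql_char", "cf_sql_varchar"):
        if not isinstance(value, str):
            raise TypeError(f"{cfsqltype} requires a string, got {type(value).__name__}")
        if max_length is not None and len(value) > max_length:
            raise ValueError(f"value exceeds maxLength={max_length}")
    elif cfsqltype == "cf_sql_integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{cfsqltype} requires an integer, got {type(value).__name__}")
    else:
        raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")
    return value


def find_by_lastname_bound(conn, last_name):
    """Hardened form: after the type/length checks the value goes to the driver
    as a bind parameter and never becomes part of the SQL text, so the database
    always sees it as one literal value (which is what cfqueryparam achieves)."""
    value = check_param(last_name, "cf_sql_char", max_length=17)
    sql = "SELECT LastName FROM employees WHERE LastName = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def compare(last_name):
    """Run both forms against a fresh database and return
    (concat_result, bound_result); an exception is reported by its class name."""
    results = []
    for fn in (find_by_lastname_concat, find_by_lastname_bound):
        conn = make_db()
        try:
            results.append(fn(conn, last_name))
        except (sqlite3.Error, TypeError, ValueError) as exc:
            results.append(type(exc).__name__)
        finally:
            conn.close()
    return tuple(results)


if __name__ == "__main__":
    for name in ("Smith", "O'Brien", "' OR 'a'='a",
                 "Smith DELETE FROM MyCustomerTable"):
        print(repr(name), "->", compare(name))
```

Running it shows the contrast the message is making: a plain surname behaves the same both ways; a legitimate apostrophe in "O'Brien" breaks the concatenated statement but is matched correctly by the bound one; input containing a quote changes the meaning of the concatenated query while the bound query just fails to match it; and the 33-character "Smith DELETE FROM MyCustomerTable" is rejected by the maxLength="17" check before it reaches the database at all.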
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250731